Hmm.. I made a brief comment about 10 mins ago but had to reboot from a patch install, but now it's gone. ?? I still say that SN is the most valuable netcast on TWiT TV.
- Dale
This is sort of security related---Happy Sysadmin Appreciation day to all those sys admins that keep us safe and secure!
- Larry Roth
Question [ 01 ] - "FireXware" in Canada wrote with the subject: SpinRite and Security Now got me a job and a new hard drive! Hello, I am a Security Now fanatic. I started listening only a few months ago and have finally caught up. I am pleased to say that I have finally had a chance to use SpinRite in a real data recovery situation. Being 16 years old, and the only tech-savvy person in the house, my mother came to me with a laptop that would not boot. I turned it on, saw the BSOD and instantly knew what to do. I pulled out my copy of SpinRite, let it run on level 2 for an hour or so, and to my mother's amazement the laptop booted like new. This impressed her so much that she wanted me to come into her office and help out with some tech problems, and also to develop some software for her to make life at work easier for her team. One of my tasks was to fix a laptop that would not connect to the network. I saw that the network was secured using the terrible WEP protocol. I asked my mother for the password, and well... let's just say I started laughing harder than ever when I discovered that their WEP key is the first 5 digits of the office phone number. I was shocked, so I started talking about security with my mother, who is the most tech-savvy person in the office. I discovered that every user used the same password! And it just happened to be the first one on the list in many of the password cracking word lists! Using my knowledge gained from listening to Security Now, I wrote up a quick proposal that described the threats and vulnerabilities the network was susceptible to, and how to fix it. After the manager of the company had read this he hired me to fix the security holes. Just today I have earned enough money working that I am able to afford a new 1TB hard drive which I have been wanting for ages. I will definitely be periodically spinriting the drive. Thank you so very much for your amazing piece of software, and equally amazing source of security,...
- Leo Laporte
Question [ 02 ] - Chris in Australia wonders about the new attack on AES-256... I'm sure you will cover the new attack on AES that reduces the complexity for recovering an AES256 key to 2^119 (and possibly less): see Bruce Schneier’s blog. I have read that this attack does not affect AES128. Why is that? And, if this attack cannot be modified and applied against AES128, does that mean that AES128 (with a complexity of 2^128) is now more secure than AES256 (with a complexity of 2^119)?
- Leo Laporte
Question [ 03 ] - John Hughan in San Francisco, California has a cure for Jet Lag... Hey Steve and Leo, I heard that the two of you (especially Leo) sometimes have trouble with jet lag. I wanted to mention a book that I've used that has helped eliminate jet lag, no matter which direction I'm traveling or how many time zones I'm crossing (I've done up to 10). Evidently it's based on a handbook that the military uses, and it primarily involves eating certain kinds of foods at certain times starting a few days before the flight. The book is called "Overcoming Jet Lag" by Charles F. Ehret. You shouldn't have any problem finding it on Amazon or other booksellers.
- Leo Laporte
Reading can make one drowsy so I can see that as a good patch for jetlag.
- Dale
Question [ 04 ] - John Kennedy from Metairie, LA asks Steve to touch the bleeding edge... Hi Steve, I am a long time SpinRite customer and Security Now listener. On the Security Now netcast, I often hear you comment that you do not use current software versions because they are unstable and unproven. Some examples that come to mind are your comments on sticking with Windows XP and Firefox 3.5 even though 3.5.1 is now available. As a computer consultant and software developer for the past 25 years, I appreciate, respect and agree with your position. From a consultant's perspective, I do not like my clients using the latest versions of products or patches for the same reasons you mention. However, as a consultant, I have a responsibility to use and test the new versions of software and patches to ensure their benefits and side effects, thus becoming the guinea pig. As I listened to your latest Security Now episode, a thought hit me; I wonder if Steve would consider breaking from his policy and providing review and analysis of version updates and patches. Of course, by “breaking policy”, I don't mean using these updates in your production environment. I was thinking more in terms of using a virtual or test machine solely for evaluating updates. I believe your perspective and the level of analysis that you bring would be of tremendous benefit to your listeners. Right now, I believe most of the information that surfaces with each software update is from a journalistic perspective. It would be great to have technical information and review from a respected and trusted person such as yourself. Please give this some thought and consideration. Thanks for your work on Security Now and I'm looking forward to your other works in progress.
- Leo Laporte
Question [ 05 ] - Andrew McKinnon in Brisbane Australia wonders about his iPhone's Internet address: Hi Steve and Leo, My question relates to the iPhone: Basically until a month ago my iPhone was reading my IP address as 144.233.xxx.xxx; however, in recent days it has been reading 10.1.xxx.xxx. Am I right in assuming that my iPhone is now being proxied by my ISP, as this seems like a private address from a router much like I find in my home Netcomm? Funny thing is my iPhone only does this in certain areas and it's always on cell networks. I don't use the WiFi component of it. If my ISP is proxying my traffic, what is the purpose of this and why do they only need to do it in certain areas?
- Leo Laporte
Question [ 06 ] - Kevin Ghadyani from Overland Park, KS worries about the number of HTML errors and warnings on the Security Now! page of GRC... 13,853 errors and 24 warning(s) says the W3C validator!! I thought you would've fixed yours because you're like that, but even msn.com validates. I'm extremely surprised to see this, and would hope you'll fix the errors over time. I've never personally seen so many errors in my life. I run a site, badmarkup, which I use to talk about this stuff and when I get some time this year sometime in October, I will be going around looking for this stuff. Please don't let me have to discuss GRC on the site.
- Leo Laporte
Question [ 07 ] - Mike V in Greeley, CO *really* wants security... NOTE: I am totally ok with you reading this on the show. Hey, Steve. I'm only 14, but I love your podcast and every episode is a journey into the complex world of security. I wish I could say that I've listened to every one of your episodes, but I just started tuning in in March. I have a system for mobile USB security that I wanted to make sure was totally safe: I have encrypted all of my files on my USB drive with TrueCrypt, with a password from your Perfect Passwords system. The password for that is stored in a text file on the drive, which I encrypted with 7-Zip. The password for that zip file is another Perfect Password, which is stored, in a text file, on a separate thumb drive that I always carry with me. And THAT text file is in a ZIP with a password that I have memorized. So tell me ... am I going too far with this encryption? I don't hang around computer hacker conventions too much, but I am worried about people getting to my passwords through Firefox Portable and Google Chrome Portable. Do you think this is a viable method, or is there a better way to make a USB drive 100% secure? Thanks for the show, and best wishes for the future.
- Leo Laporte
Question [ 08 ] - 16-year-old Scott in Upstate New York makes a brilliant observation about Firefox Privacy... Steve and Leo, I am 16 years old and have been listening to Security Now since episode 25. Your show has taught me everything I could want about security and how my computer and the Internet work. Keep up the great work! Anyway, a few episodes ago, you discussed how Firefox remembers how you zoomed the page of a website you visited. I had noticed this in the past, but didn't know it was a 'feature.' The question is: is this a security/privacy concern? Firefox retains the zoom setting even after you have cleared private data. Therefore, it must be saving the websites you have zoomed somewhere. This cache denies you the plausible deniability and privacy provided by the clearing of your history, cookies, etc. I poked around about:config, but this shed no light on my question. So, is it a security/privacy concern, or am I blowing it out of proportion? P.S. No SpinRite yet--my parents won't buy it until something fails. But you can guess what I am going to do with my first paycheck. ☺
- Leo Laporte
Question [ 09 ] - Patti Clark, an early CompuServe employee in Knoxville, TN, remembers with us... Hi, Steve and Leo. I was listening to episode 205 on Lempel and Ziv when my ears perked up on the CompuServe segment. I spent most of the 1980s as an employee of CompuServe. You were correct when mentioning that CompuServe was a time-sharing company and H&R Block was their parent. The computers behind the Consumer Information Service were DECsystem-10s and -20s. I had the pleasure of working with one of the system programmers who had pulled together a handful of games and created the forum (precursor to bulletin boards and chat rooms) software. The idea was indeed to do something with all of that computing power that was sitting mostly idle during the evening hours. It surprised management when it took off and ultimately became what the company will be known for in history. AOL bought the company from H&R Block some time back. Back then modems started as 300 baud acoustic couplers; then 1200 and 2400 baud modems were comparatively fast. Everything was text-based. We were on the “bleeding edge” when we brought email to larger corporations and the federal gov't. Sorry, my reminiscent hat slipped on. Anyway, I enjoy your program and I learn something new each week. Thank you, Patti Clark
- Leo Laporte
Question [ 10 ] - David Cox in Colorado Springs reports that Security Now! almost killed him!... Hi Steve, I began listening to Security Now! shortly after you and Leo began with episode one, while I was stationed in Cornwall, England with the U.S. Navy. I drove one of those tiny Smart cars back then, you know, the poor man’s Mercedes. It was called a “Smart for Two” and they are slowly growing in popularity now here in the States. Fantastic gas mileage and easy parking ANYWHERE. No, I haven't totally lost it . . . there is actually a point to this rambling: . . . So I am driving to work one early morning on those very small and winding English roads, listening to the latest Security Now! episode. It was dark, rainy and foggy and I was completely lost in your show. Suddenly, less than 30 feet in front of me, a huge lorry (a big ass truck) went flying past me from right to left. I had been driving this road for several years already, and knew my turn was up there. But as I said, at that time I wasn't in England driving to work. Rather I was sitting somewhere in Irvine at a Starbucks with my Venti Caramel Macchiato, totally engrossed in what Steve and Leo had to say about information systems security (by the way, I was the Information Assurance Manager for my duty station at the time). Ok, so back on this wet road in the dark fog, I suddenly snapped to reality, yanked the steering wheel counter-clockwise as hard as I could and miraculously found myself directly behind the truck that woke me up from security school. I don't know how the car didn't flip over, or how I avoided the oncoming traffic. Or why my driving instincts were so damned good that one early morning. All I know is . . . I lived to listen to many more of your podcasts, which incidentally have since gotten me through diagnoses of leukemia, a bone marrow transplant, and now lung disease and a possible double lung transplant. Your shows have kept me sane and given me something fun and informative to look...
- Leo Laporte
Question [ 11 ] - Robert Antman in Los Angeles has a thought about “Perfect Passphrases...” Dear Steve, Thank you for providing the Perfect Passwords service on your website. This password generator is perfect for many applications, such as generating a pseudorandom WPA password. But it is not so perfect in other applications, such as generating a pseudorandom passphrase for typing into TrueCrypt, because it is almost impossible (at least for me) to memorize a long string of random gibberish. It's especially difficult if you plan on changing your passphrase periodically. As an example, if I wanted a pseudorandom passphrase that provided 128 bits of entropy, and I restricted the character set to alphanumeric characters only (a-z, A-Z, 0-9), the passphrase would need to be 22 characters long. (128/log2(26+26+10) = 21.4) ("ud2ZGH7Nr1XSZTWUE7lvSk". That is an example of a 22-character pseudorandom passphrase from your Perfect Passwords page.) I claim it is much easier to remember a passphrase consisting of random words (random English words in my case). Would you consider coding a Perfect Passphrase generator for your website? The Second Edition of the Oxford English Dictionary contains entries for 171,476 words. If you could obtain a list of the most common 65,536 (2^16) English words, then you can take 16-bit chunks of your pseudorandom number generator and use each as an index into the word list. Display that word and repeat the process to produce the random passphrase. For example, to provide a passphrase with 128 bits of entropy, you would only need 8 words (128/16) – “decompose ironic humid fizzle muslin purchase guacamole mazeltov”. There, isn't that easier to memorize? I made that list by flipping open a dictionary and pointing at words at random. There are some who would claim that the use of a passphrase consisting of ordinary words is susceptible to a dictionary attack, but that is not necessarily true. Provided that the words are chosen at random and you choose enough of them, a random list of words is every bit as secure as a random string of characters.
- Leo Laporte
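The generator Robert describes, written out as an added example that is not from the show, from GRC or from the letter itself. It assumes a constructed sixteen-word list in place of the 65,536 most common English words he proposes, and it draws each index from fixed-width chunks of the operating system's CSPRNG (Python's `secrets` module) rather than from any particular generator. The entropy arithmetic is the letter's: a passphrase of n symbols drawn uniformly from a list of N equally likely symbols carries n·log2(N) bits, whether the symbols are characters or words.

```python
import math
import secrets

# Constructed word list for demonstration only; the letter proposes indexing
# the 65,536 most common English words, so a real list would be far larger.
SAMPLE_WORDS = [
    "decompose", "ironic", "humid", "fizzle", "muslin", "purchase",
    "guacamole", "mazeltov", "lantern", "orbit", "velvet", "thimble",
    "granite", "saffron", "quartz", "meadow",
]

# Alphabet sizes used in the letter: alphanumeric (a-z, A-Z, 0-9) and 2^16 words.
ALNUM_SIZE = 26 + 26 + 10
WORDLIST_SIZE = 2 ** 16


def entropy_bits(symbol_count: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `symbol_count` choices.

    The same formula covers characters and words: an attacker who knows the
    whole word list still has to search symbol_count ** length candidates, so
    a dictionary attack gains nothing once the words are chosen at random.
    """
    return length * math.log2(symbol_count)


def symbols_needed(target_bits: float, symbol_count: int) -> int:
    """Smallest number of symbols that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(symbol_count))


def uniform_index(word_count: int, randbits=secrets.randbits) -> int:
    """Draw an index in [0, word_count) from fixed-width CSPRNG chunks.

    For a 65,536-word list the chunk is exactly 16 bits, as the letter
    suggests. For any other list size a raw chunk reduced modulo word_count
    would favour low indices, so out-of-range chunks are rejected instead
    (each draw succeeds with probability > 1/2).
    """
    if word_count < 2:
        raise ValueError("need at least two words to have any entropy")
    chunk_bits = (word_count - 1).bit_length()
    while True:
        chunk = randbits(chunk_bits)
        if chunk < word_count:
            return chunk


def generate_passphrase(words, target_bits: float, randbits=secrets.randbits):
    """Return (passphrase, entropy_bits) using enough random words for target_bits."""
    if len(set(words)) != len(words):
        raise ValueError("duplicate entries shrink the effective list size")
    count = symbols_needed(target_bits, len(words))
    chosen = [words[uniform_index(len(words), randbits)] for _ in range(count)]
    return " ".join(chosen), entropy_bits(len(words), count)


if __name__ == "__main__":
    print("alphanumeric characters for 128 bits:", symbols_needed(128, ALNUM_SIZE))
    print("words from a 2^16 list for 128 bits:", symbols_needed(128, WORDLIST_SIZE))
    phrase, bits = generate_passphrase(SAMPLE_WORDS, 60)
    print(f"{phrase!r} ({bits:.1f} bits from a {len(SAMPLE_WORDS)}-word list)")
```

Two practical points fall out of the arithmetic. First, the list size matters more than the word choice: the Diceware list of 7,776 words needs ten words to pass 128 bits, against eight from a 65,536-word list, and any duplicate or near-duplicate entries quietly shrink N. Second, the index must be uniform; reducing a random chunk modulo a non-power-of-two list size biases the selection, which is why the example rejects out-of-range chunks instead.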
Question [ 12 ] - Jeff, hiding out somewhere in the USA, doesn't want to blink! Subject: RFID in credit card - should I run and not walk away? Steve, My Chase credit card was approaching its expiration date and I received the new card in the mail. My new card came with a feature called Blink (a.k.a. RFID chip). The average person probably thinks that waving a card in front of a terminal instead of swiping is the neatest thing since sliced bread. As an avid Security Now listener, I'm not so sure about that. How much am I at risk? Should I wrap my card in foil or request a replacement without the RFID chip? I don't mind having this Blink feature as long as I'm not at risk of losing everything in the "blink" of an eye.
- Leo Laporte